Networked and Embedded Control Systems
Jerome Le Ny
ESE 680, Spring 2011
Upenn
Outline
• Motivation and Examples
• Introduction to NECS Issues
• Administrative Stuff
Motivation and Examples
Cyber-Physical Systems (CPS): information/computing systems interacting with physical systems, broadly.
Increasingly integrated systems: sharing of sensing, actuation, computation and communication resources across distributed systems.
Networked and Embedded Control Systems (NECS, NCS)
Modern cars: 40-100 networked microprocessors (brakes, ESC, transmission, engine, safety, climate, emissions, multimedia, …); several CAN and other buses.
Boeing 777: 1280 networked microprocessors.
Good design principles?
2-5 million lines of code
Embedded Control Characteristics
• Dependability
– Safety (stability), reliability, security
– E.g.: flight control, or cruise control in cars
– Certification issues, e.g. DO-178B in aerospace. Formal guarantees?
• Currently most certification standards are process based
• Performance guarantees (e.g. standard control specifications) vs. cost constraints
– Often mass-market products, e.g. cars
– Associated computation, communication, memory, energy constraints…
– Flexibility, ease and speed of development (COTS components, code reuse). Better system integration methods are critical for future complex system development
– Maintainability is very important; might need to handle evolutions and upgrades easily and safely
Similar Issues at all Scales...
- Safety
- Performance
- Sensing and control
- Network effects
- Distributed information
- Humans in the loop
- Heterogeneous components
- Certification issues, system of systems, gradual evolution
See for example the Microsoft Security Bulletins MS02-065, MS04-011, etc.
Northeast Blackout of 2003
States and provinces that experienced the blackout
The Northeast Blackout of 2003 was a massive widespread power outage that occurred throughout parts of the Northeast and Midwest United States and Ontario, Canada on Thursday, August 14, 2003, at approximately 4:11 p.m. EDT (UTC−04). At the time, it was the second most widespread electrical blackout in history, after the 1999 South Brazil blackout.[1] [2] The blackout affected an estimated 10 million people in Ontario and 45 million people in eight U.S. states.
Sequence of events
The following is the blackout's sequence of events on August 14, 2003 [13] [14] [15] (times in EDT):
• 12:15 p.m. Incorrect telemetry data renders inoperative the state estimator, a power flow monitoring tool operated by the Indiana-based Midwest Independent Transmission System Operator (MISO). An operator corrects the telemetry problem but forgets to restart the monitoring tool.
• 1:31 p.m. The Eastlake, Ohio generating plant shuts down. The plant is owned by FirstEnergy, an Akron, Ohio-based company that had experienced extensive recent maintenance problems.
• 2:02 p.m. The first of several 345 kV overhead transmission lines in northeast Ohio fails due to contact with a tree in Walton Hills, Ohio.[16] [17]
• 2:14 p.m. An alarm system fails at FirstEnergy's control room and is not repaired.
• 3:05 p.m. A 345 kV transmission line known as the Chamberlin-Harding line fails in Parma, south of Cleveland, due to a tree.
• 3:17 p.m. Voltage dips temporarily on the Ohio portion of the grid. Controllers take no action.
• 3:32 p.m. Power shifted by the first failure onto another 345 kV power line, the Hanna-Juniper interconnection, causes it to sag into a tree, bringing it offline as well. While MISO and FirstEnergy controllers concentrate on understanding the failures, they fail to inform system controllers in nearby states.
• 3:39 p.m. A FirstEnergy 138 kV line fails in north Ohio.[18]
Some Mishaps…
Bugs in software, but also in specifications! Particularly problematic because many CPS are safety-critical.
Courtesy of © Wind River Inc. 2008 – IEEE-CS Seminar – June 4th, 2008
Federated vs. IMA
[Figure: federated avionics architecture. Each function has its own box: Radar, Sensor systems, FLIR, EO/OP, Engine Controls, Engine Monitoring, Fire Control, Weapons Control, Stores Management, Targeting Computer, Flight Controls, Flight Management, Inertial Reference System, Displays, Navigation Computer, Mission Computer.]
[Figure: Integrated Modular Avionics (IMA). The same functions (Flight Controls, Flight Management, Inertial Reference System, Radar, Sensor systems, FLIR, EO/OP, Engine Controls, Engine Monitoring, Fire Control, Weapons Control, Stores Management, Targeting Computer, Displays, Navigation Computer, Mission Computer) hosted as partitions on shared computing resources.]
[Figure: ARINC 429 vs. AFDX.
ARINC 429: one transmitter (e.g. azimuth data from the inertial platform) to up to 20 receivers (heads-up display, autopilot, other systems, etc.); simplex; 100 Kbps maximum; twisted-pair copper wire.
AFDX: end systems (inertial platform, heads-up display, other systems, etc.) connected through a switch; full duplex; 100 Mbps maximum; number of connections governed by the number of switch ports; two pairs of category 5 UTP twisted-pair copper wire.]
[Figure: avionics computer system with ARINC 653 partitions (Avionics Subsystem Partition 1, 2, 3) sharing one end system on an AFDX network through an AFDX switch; controllers, sensors and actuators attach to the network. ARINC 664, Part 7 AFDX communications ports: sampling ports, queuing ports, service access point port.]
[© Wind River]
[© GE]
Trends in NECS
Attempt at controlling growing system complexity, while
- properly managing resources (computational, communication)
- guaranteeing timings: important for control
Trends in NECS II
• Toward rigorous model-based engineering vs. process-based certification
– e.g. DO-178B replacement
– ultimate goal: reason about high-level models, then generate correct controllers and code from these models
– introduce more formal methods
• Compositionality?
– e.g. needed to add and remove small generators in the electric grid
– component reusability to reduce development costs
– modular design with isolated components to avoid recertification during incremental changes
Introduction to NECS Issues
Sampled-Data Systems
• Classical theory of sampled-data systems is a good starting point
• Three controller design approaches:
– discretize a continuous-time design
– discrete-time design, neglecting intersample behavior in synthesis
– direct sampled-data design (lifting): the most rigorous, but an involved theory
then simulate the design to look for potential issues
[©K.-E. Arzen, Lund]
Networked Control Systems
• Adds delay, jitter and possibly packet losses
• Managing access to the communication network
• Focus of much of the current research literature in NCS
• Most models still very simplistic
[©K.-E. Arzen, Lund]
Many Implementation Choices
[Figure: several plants (Plant, Plant 2, Plant 3) with sensors (S) and actuators (A) connected through network nodes (N) to controllers (K) on a shared CPU; a scheduler at the controller CPU and schedulers at the network arbitrate the shared resources.]
Real-Time Embedded Control Systems
[Figure: classical controller timing. Measured variable y(t) sampled at t_{k-1}, t_k, t_{k+1}; control variable u(t) updated after a constant computational lag τ.]
• Output y(t) sampled periodically at time instants t_k = kh
• Control u(t) generated after a short and constant time delay τ
Classical controller timing
[Figure: controller timing with an RTOS scheduler. Control task τ released at r_{k-1}, r_k, r_{k+1}; each job starts at s_k and finishes at f_k; sampling latency L_s^k, input-output latency L_io^k, response time R_k.]
• Control task τ released periodically at time instants r_k = kh
• Output y(t) sampled after a time-varying sampling latency L_s
• Control u(t) generated after a time-varying input-output latency L_io
Controller timing with RTOS scheduler
CPU time management using a Real-Time Operating System (RTOS)
- Without it: system dedicated to the control task; timing very predictable; costly, little flexibility; software and hardware become unmanageable as the system becomes more complex
- With an RTOS and a network: increased flexibility, but delays and non-determinism introduced by the RTOS and the network. Impact on control performance?
[©K.-E. Arzen, Lund]
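The impact of these latencies, and of the delay, jitter and packet losses a network adds (see the Networked Control Systems slide above), can be made concrete on a tiny loop. The following is an added example, not part of the lecture or of Arzen's slides: it simulates an unstable first-order plant dx/dt = A x + B u under zero-order hold with period h, a proportional controller designed on the delay-free discrete model by pole placement, and a timing model with sampling latency L_s, input-output latency L_io, uniform jitter on both, and random packet drops at the actuator (which then holds the previous value). The plant, the period h = 0.1, the closed-loop poles, the latency values and the assumption that the task never misses its deadline are all choices made for the demonstration.

```python
"""Added example (not from the lecture): a sampled-data loop under constant
delay, RTOS-style jittery latencies and packet loss. Plant, period, gains and
latency values are assumptions chosen for the demonstration."""
import math
import random

A, B = 1.0, 1.0   # assumed plant dx/dt = A*x + B*u (A > 0: open-loop unstable)
H = 0.1           # sampling period h; release instants r_k = k*h


def advance(x, u, dt):
    """Exact zero-order-hold solution of the plant over dt with u held constant."""
    e = math.exp(A * dt)
    return e * x + (e - 1.0) / A * B * u


def pole_placement_gain(pole):
    """Gain K such that the delay-free loop x[k+1] = (Phi - Gamma*K) x[k] has
    closed-loop pole `pole` (pole=0 is deadbeat, the most aggressive choice)."""
    phi = math.exp(A * H)
    gamma = (phi - 1.0) / A * B
    return (phi - pole) / gamma


def simulate(pole=0.5, steps=60, x0=1.0, ls=0.0, lio=0.0, jitter=0.0,
             loss=0.0, seed=1):
    """Run `steps` periods of the loop u = -K*y and return x at r_k = k*h.

    ls     : nominal sampling latency (task release -> sample read)
    lio    : nominal input-output latency (sample read -> actuator updated)
    jitter : each latency is drawn uniformly from [nominal, nominal + jitter];
             jitter=0 gives the classical constant-delay timing
    loss   : probability that u[k] never reaches the actuator, which then
             keeps holding u[k-1]
    Assumption: the task never misses its deadline, so ls + lio is clipped to H.
    """
    rng = random.Random(seed)          # fixed seed: runs are reproducible
    k_gain = pole_placement_gain(pole)
    x, u_held = x0, 0.0
    trace = [x]
    for _ in range(steps):
        ls_k = min(ls + rng.uniform(0.0, jitter), H)
        lio_k = min(lio + rng.uniform(0.0, jitter), H - ls_k)
        # the actuator still outputs u[k-1] while the sample is being read ...
        x_sampled = advance(x, u_held, ls_k)
        u_new = -k_gain * x_sampled
        # ... and while the controller computes and the packet travels
        x_at_output = advance(x_sampled, u_held, lio_k)
        if rng.random() < loss:
            u_new = u_held             # dropped packet: actuator holds old value
        x = advance(x_at_output, u_new, H - ls_k - lio_k)
        u_held = u_new
        trace.append(x)
    return trace


def quadratic_cost(trace):
    """Sum of squared states: a simple performance index for comparing runs."""
    return sum(v * v for v in trace)


def peak(trace):
    """Largest |x| seen during the run; growth here means loss of stability."""
    return max(abs(v) for v in trace)


if __name__ == "__main__":
    cases = {
        "pole 0.5, no delay": simulate(),
        "pole 0.5, constant delay h/2": simulate(lio=H / 2),
        "pole 0.5, one full period delay": simulate(lio=H),
        "pole 0.5, jittery latencies": simulate(ls=0.01, lio=0.02, jitter=0.03),
        "pole 0.5, 30% packet loss": simulate(loss=0.3),
        "deadbeat, no delay": simulate(pole=0.0),
        "deadbeat, one full period delay": simulate(pole=0.0, lio=H),
    }
    for name, tr in cases.items():
        print(f"{name:34s} peak |x| = {peak(tr):9.3f}  cost = {quadratic_cost(tr):10.3f}")
```

Running it shows the point behind the "impact on control performance?" question: the conservative design (pole 0.5) still converges with a full-period delay, only more slowly and at a higher cost, whereas the deadbeat design that is perfect without delay oscillates with growing amplitude once its control value is applied one period late, and the unstable plant diverges open-loop when every packet is lost. The gain is only as good as the timing assumptions it was designed under, which is why the scheduler and network models cannot be left out of the analysis.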
Control System Specifications
• Stability
• Analog performance: transients and steady state
• Safety, absence of deadlocks
• Liveness
• Derive specifications
– which correspond to what is intuitively expected from the system
– which are consistent (object of this course), backed by formal analysis and a formal specification language
• Develop the system and software from them
For systems including both analog signals and switching logic: hybrid systems.
About this course
• We will explore some of these issues
– model-based analysis and synthesis of digital controllers
– understand modern implementation issues: computation and communication resource management, impact on control performance
– discuss complex specifications, certification and verification issues: formal methods (model checking, deductive methods)
• This is a topics course: I'm here to help you learn, but what you get out of it will mostly depend on your personal involvement in the subject
– currently active research topics. We are far from a mature theory of system design
– You should critique and challenge the models we will discuss
– complexity and variety of issues make this subject interesting to researchers with diverse backgrounds and interests: control engineering, real-time systems, logic and formal methods, etc.
Course Outline
• Review of classical theory
– System modeling: continuous-time and discrete-time systems, automata including hybrid automata (2 lectures)
– Sampling and sampled-data systems (2 lectures) --> discretizations of CT controllers
– Overview of 2 other classical digital control design methods: discrete methods and direct SD design (3-4 lectures)
• NECS issues:
– Examples of communication standards for control (FlexRay, ARINC 664). Intro to real-time scheduling (1-2 lectures)
– Control for systems with delays and sampling jitter via Lyapunov methods (2+ lectures)
– Input-output methods for NECS (2+ lectures). Passivity and wave variables for networked systems, relevant integral quadratic constraints
• Formal methods for verification and design (after Spring break):
– Discrete system abstractions: exact and approximate bisimulations
– Model checking
– Intro to deductive methods: Hoare logic for controller verification, hybrid dynamic logic
• Additional lectures
– external speakers: AADL (Oleg Sokolsky), possibly more.
– Student lectures.
Administrative Stuff
Grading
• Prepare a lecture (40%)
– Review e.g. 2-3 related papers (choice guided by me).
– Prepare lecture notes.
– Lecture format free: slides or blackboard.
• Project (40-50%)
– Design a control system, and do an analysis/simulation as realistic as possible (including the effect of the communication protocol, real-time scheduler, etc.). Most realistic: implement the control algorithm on a microcontroller, with the physical process possibly simulated (if you have access to hardware and know how to program a real-time system; a physical implementation is not required).
– or explore a new design/analysis technique. Aim for a new contribution to the field of NECS.
– No literature review accepted for this part (that's the previous point).
• Homework (0-10%)
– I might give a few exercises during the term to check your understanding of the material.
• Participation (~10%)
– Influences the grade subjectively in any case…
– The course will be boring if I'm the only one speaking. Again, constructive criticism is strongly encouraged. View this as a research seminar.
Example of Topics for Student Lectures
• Decentralized control: decentralized fixed modes, quadratic invariance, …
• Decentralized estimation: distributed LMS, RMS, distributed Kalman filtering, …
• Switched systems and applications to NECS
• Event-triggered sampling for control
• More advanced real-time scheduling for control
• Synchronous languages or other programming paradigms
• Other choices possible. To be determined with me during the first couple of weeks